
Sources List and Some Updates



Folks,

A couple of updates and then the first comprehensive draft of our sources list for your review and comments.

We have been and are continuing to pursue the possibility of hosting a face-to-face meeting at Black Hat.  Several moving pieces here and we'll let you all know as soon as we know.  Either way, we'll definitely be hosting a teleconference to discuss things.

Regarding several of the ideas that have been suggested recently (i.e. focusing on products, metrics, increasing CNA involvement, how to cover things like Linux):
a) We are working on a list of "must have" products that we will be circulating soon. 
b) We are discussing the other issues internally and will have some further thoughts out soon.

Thank you all for your input and engagement on this.


And now, for the list of sources.

We are grouping the sources into 2 major groups: those that should be "fully covered" and those that should be "partially covered".

"Full Coverage" means that for nearly all issues disclosed by the source that could be associated with a CVE entry, there will be an associated CVE entry, regardless of the criticality of the issue.

"Partial Coverage" means that the source will be actively monitored but issues will be processed and associated with CVE entries based on a variety of editorial judgments such as criticality. 

As a bridge to the products discussion, we've further sub-divided each of these lists into 2 sub-lists: "Vendor" and "Other".

"Vendor" means the source can be associated with a vendor or primary maintainer of a product or set of products.

"Other" is a catch-all for things like vulnerability databases, mailing lists and advisories from coordination centers, which tend to disclose vulnerability information from many different vendors.

CAVEAT 1: We (MITRE) actively monitor many sources beyond this list.  These sources include things like blogs from vulnerability researchers, conference proceedings and media outlets. The set of such sources that prove to be productive and useful to monitor changes on such a regular basis that we don't feel it would be useful to list them all out specifically.

CAVEAT 2: We have demoted and promoted several sources based on our experience with them. We are happy to discuss adding or removing sources and promoting or demoting sources but, like many of you, we think we're getting to the point of needing to discuss verbally. In particular, it bears mentioning that we are specifically not monitoring some sources that have been mentioned.  Some have disappeared or have been rolled into other sources and some are behind "pay walls" and thus are not considered publicly disclosed.  Examples include (but are not limited to) the old CERT-CC Advisories and VUPEN.


FULL COVERAGE SOURCES - VENDOR RELATED
======================================
Adobe
Apache Software Foundation: Apache HTTP Server
Apple
Attachmate: Novell
Attachmate: SUSE                                        
Blue Coat - kb.bluecoat.com
CA - support.ca.com
Check Point: Security Gateways product line (supportcenter.checkpoint.com)
Cisco: Security Advisories/Responses
Citrix - support.citrix.com
Debian
Dell Desktop/Notebook product lines
Dell SonicWALL Network Security product line - Service Bulletins
EMC, as published through Bugtraq
F5 - support.f5.com
Fortinet FortiGate product line (kb.fortinet.com)
Fujitsu Desktop/Notebook product lines
Google: Google Chrome (includes WebKit)
HP: Security Bulletins                         
IBM: issues in IBM ISS X-Force Database
Internet Systems Consortium (ISC)
Juniper: juniper.net/customers/support (JunOS?)
Lenovo Desktop/Notebook product lines
McAfee - kc.mcafee.com
Microsoft: Security Bulletins/Advisories
MIT Kerberos
Mozilla
OpenSSH
OpenSSL
Oracle: Critical Patch Updates
RealNetworks (real.com)
Red Hat                                      
RIM/BlackBerry - blackberry.com/btsc
Samba Security Updates and Information
SAP - scn.sap.com/docs/DOC-8218
Sendmail
Sophos - sophos.com/support/knowledgebase
Symantec: Security Advisories
Ubuntu (Linux)                              
VMware
Websense - websense.com/content/support.aspx



FULL COVERAGE SOURCES - OTHER
=============================
HP: TippingPoint DVLabs
HP: TippingPoint Zero Day Initiative
ICS-CERT: ADVISORY
MITRE CNA open-source requests
US-CERT: Technical Cyber Security Alerts
VeriSign iDefense


PARTIAL COVERAGE SOURCES - VENDOR RELATED
=========================================
Android (associated with Google or Open Handset Alliance)
Apache Software Foundation: Apache Tomcat
Apache Software Foundation: other
CentOS
Check Point: checkpoint.com/defense/advisories/public/summary.html
Cisco: Release Note Enclosures (RNE)
Drupal
Fedora
FoxIt Support Center - Security Advisories
FreeBSD                                     
Gentoo (Linux)                              
Google: other (not Chrome or Android)
IBM ISS X-Force for non-IBM products
IBM: issues not in IBM ISS X-Force Database
Joomla!
Juniper - JTAC Technical Bulletins
kernel.org
Mandriva                                    
NetBSD                                      
OpenBSD                                     
PHP core language interpreter
SCO     
TYPO3
WordPress


PARTIAL COVERAGE SOURCES - OTHER
================================
attrition.org/pipermail/vim
AusCERT                   
Core Security CoreLabs
DOE JC3 (formerly DOE CIRC and CIAC)      
Full Disclosure                             
HP: TippingPoint Pwn2Own
http://www.exploit-db.com/ 
ICS-CERT: ALERT
Juniper: J-Security Center - Threats and Vulnerabilities
Microsoft: Vulnerability Research (MSVR)
oss-security
OSVDB                                       
Packet Storm
Rapid7 Metasploit
Secunia
SecuriTeam
SecurityTracker                             
Symantec: SecurityFocus BugTraq (securityfocus.com/archive/1)       
Symantec: SecurityFocus Bugtraq ID (securityfocus.com/bid)          
United Kingdom CPNI (formerly NISCC)                                 
US-CERT: Vulnerability Notes



-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================



Page Last Updated or Reviewed: November 06, 2012